The FCA requires firms to have effective processes to identify, manage, monitor and report the risks they are or might be exposed to. Operational risk is defined as: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
In 2011 the FSA defined conduct risk as: “The risk that firm behaviour will result in poor outcomes for customers.” As the FCA has built and developed its regulatory agenda, many firms have had to reconsider their approach to regulatory risk management and, in particular, how the regulator will view their culture and conduct risk management performance.
Since its inception in April 2013, the FCA’s approach has been underpinned by a strong conduct risk agenda. As the regulator has made clear in various speeches, papers and actions, it is determined to create a culture of good conduct at every level of the financial services industry to make markets work well and to produce a fair deal for customers. The FCA therefore expects all firms to have a strong conduct risk framework in place to facilitate a culture that delivers good outcomes both for consumers and the markets as a whole.
Conduct risk is not a formally defined term; the FCA has stated it is not suggesting there is a single, standard, regulator-approved culture that will suit every organisation. Rather, firms must develop their own conduct risk definition and strategy, tailored to the specific risks they are exposed to and the needs of their organisation.
The FCA has emphasised that, in line with its conduct risk agenda, it expects firms to move away from the following behaviours:
- Prioritising profits over ethics and commercial interests over consumer interests
- A tick-box approach to compliance
- The idea that disclosure at the point of sale absolves the seller from responsibility for ensuring a product/service represents a good outcome for the customer (note the erosion of caveat emptor)
- Complying with only the letter (rather than the spirit) of laws and regulations.
So how can firms demonstrate to the FCA that they have the appropriate culture, that they conduct themselves appropriately and that they are focused on delivering consistently good, compliant advice and service to their clients?
A firm’s culture is driven by its owners and managers. Beyond articulating what the firm stands for and what is expected of those working in it, the words need to be put into action, and outcomes and progress then need to be measured and reviewed at regular intervals.
In order to achieve this, there needs to be a framework.
The starting point is to identify the risks likely to affect a firm and its clients. External compliance consultants can provide “standard” lists, but these need to be tailored to each firm, so there is no substitute for brainstorming the risks that do or could affect the firm in a suitable forum. Sometimes this is done at board level, but a forum involving all staff obtains “buy-in” and engagement and is likely to produce better results.
Once the risks are identified, they need to be categorised and assessed, typically by constructing a risk grid: a numerical value is assigned to the probability of each risk occurring and multiplied by a value for the impact if it does occur. For example, the probability of a failure of IT hardware might be considered small (three out of 10) but the impact would be serious (10 out of 10), giving a gross score of 30 out of a maximum of 100. The scores are a ranking aid rather than a precise measure, so consistency in how they are applied across risks matters more than the absolute numbers.
The next stage is to consider how each risk can be mitigated. Taking the example of the IT hardware failing, back-ups make it relatively easy to reduce, although not eliminate, the risk. The effectiveness of that control is then scored (say, eight out of 10) and the gross score of 30 is divided by it, giving a “net” score of 3.75. The control should only be scored that highly once it has been shown to work in practice, for instance by restoring from the back-up rather than just taking one.
Each firm will need to set thresholds on this scale to separate the risks assessed as effectively managed from those requiring urgent attention; this is often done on a red, amber, green basis.
The key to success is to review the risks regularly: to assess which have been addressed and no longer need to be considered, which still require management and which new risks need to be added, and to assign responsibilities and timelines for each. Most risks can be mitigated and managed so that they do not endanger a business.
A firm that has a rigorous approach to conduct risk in particular and risk in general is not only likely to have a good relationship with the regulator, but will in the process make itself more attractive to buyers.
Roderic Rennison is director of The Ideas Lab